[DUG] Contact form page

Stefan Mueller muellers at orcl-toolbox.com
Wed Mar 19 23:18:01 NZDT 2014


It’s probably from a spam bot.

Don’t forget that data validation needs to happen client side and server side. Server side because if a user has JavaScript disabled it wouldn’t be validated … and also, there is nothing really stopping a bot from posting data directly without even requesting the page.

The usual ways to cut down on bots posting include CAPTCHA, using cookies/sessions with CSRF tokens to make sure only someone who requested the page can actually post, checking the content with Akismet/Defensio/etc. for spam content … and so on.

PS: It’s one of the reasons why I am not big on PHP. In PHP you kind of have to implement and handle this kind of security checking in every single form you do … and if you forget something somewhere then your website is at risk of getting abused/hacked. The ASP.NET framework does handle all of these basics for you out of the box. I feel very confident my websites will hold up much better to attacks than anything written in PHP. Don’t get me wrong, I am not suggesting you ditch PHP just for your simple contact form, that would be overkill - just proof your PHP script better! But if you ever plan on doing something a bit bigger or more complex with multiple input forms then I seriously suggest you think twice before using PHP.





Kind regards,



Stefan Mueller,
R&D Manager

ORCL Toolbox Ltd. 
Auckland, New Zealand 


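Applying the server-side validation and CSRF-token advice from this reply to the contact-form handler quoted further down in the thread, as an added example (not code from the original post, the list, or the site in question). The field names match the quoted script; the session key csrf_token, the placeholder sender and recipient addresses, the error handling and the requirement for PHP 7 or later are assumptions, and the CAPTCHA and Akismet/Defensio checks mentioned above are not implemented here.

```php
<?php
// Added example, not the original site's code. Hardened handler for the
// contact form quoted in this thread. Assumptions: a PHP session is
// available, the form embeds the value of csrfToken() in a hidden field
// named csrf_token, and the two addresses below are placeholders.
session_start();

const RECEIVER = 'info@example.invalid';     // placeholder recipient
const SENDER   = 'website@example.invalid';  // placeholder From: address

// Call this when rendering the form:
// <input type="hidden" name="csrf_token" value="<?= csrfToken() ?>">
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Server-side validation. Returns a list of error messages; empty means OK.
// Runs whether or not the browser's JavaScript validator ran, so a bot that
// posts straight to the script is checked the same way as a real visitor.
function validateContact(array $post, string $sessionToken): array
{
    $errors = [];

    // CSRF: the token proves the poster fetched the form in this session.
    $token = (string)($post['csrf_token'] ?? '');
    if ($sessionToken === '' || !hash_equals($sessionToken, $token)) {
        $errors[] = 'missing or invalid form token';
    }

    $name = trim((string)($post['InputName'] ?? ''));
    if ($name === '' || strlen($name) > 100 || !preg_match('/^[\p{L} .\'-]+$/u', $name)) {
        $errors[] = 'name missing or contains unexpected characters';
    }

    // FILTER_VALIDATE_EMAIL rejects CR/LF as well as malformed addresses,
    // so a value that passes is safe to place in a mail header.
    $email = trim((string)($post['InputEmail'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email address';
    }

    // Phone: digits, spaces, +, parentheses and dashes, 6 to 20 characters.
    // A value like "LbXwjLfDDTFkIuBkPP" from the thread fails here.
    $phone = trim((string)($post['InputPhone'] ?? ''));
    if (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $phone)) {
        $errors[] = 'invalid phone number';
    }

    // Single-line fields: bounded length and no line breaks.
    foreach (['InputCompany', 'InputPosition', 'Subject'] as $field) {
        $value = (string)($post[$field] ?? '');
        if (strlen($value) > 200 || preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field too long or contains line breaks";
        }
    }
    if (strlen((string)($post['InputComment'] ?? '')) > 4000) {
        $errors[] = 'comment too long';
    }
    return $errors;
}

if (($_POST['Submit'] ?? '') === 'Submit') {
    $errors = validateContact($_POST, (string)($_SESSION['csrf_token'] ?? ''));

    if ($errors !== []) {
        // Record rejections so bot traffic is visible in the server log.
        error_log('contact form rejected: ' . implode('; ', $errors));
        $Msg = 'Sorry, your submission could not be accepted.';
    } else {
        $body  = "Name: {$_POST['InputName']}\n\n";
        $body .= "Company: {$_POST['InputCompany']}\n\n";
        $body .= "Position: {$_POST['InputPosition']}\n\n";
        $body .= "Phone: {$_POST['InputPhone']}\n\n";
        $body .= "Email: {$_POST['InputEmail']}\n\n";
        $body .= "Subject: {$_POST['Subject']}\n\n";
        $body .= "Comment: {$_POST['InputComment']}";

        // From: is our own address; the visitor's validated address goes in
        // Reply-To, so replying to the notification still reaches them.
        $headers = 'From: ' . SENDER . "\r\nReply-To: " . $_POST['InputEmail'];
        $send = mail(RECEIVER, 'Feedback website - RELACS', $body, $headers);

        // One token per submission: a replayed post needs a fresh page load.
        unset($_SESSION['csrf_token']);
        $Msg = 'Thank you ' . htmlspecialchars($_POST['InputName'], ENT_QUOTES, 'UTF-8')
             . ' for your feedback. We will get back to you ASAP';
    }
}
```

The token check with hash_equals runs before the field checks so that a direct post without a page fetch is rejected regardless of its content; the log line gives a quick way to see how often that happens and which check is catching the bot.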

From: delphi-bounces at listserver.123.net.nz [mailto:delphi-bounces at listserver.123.net.nz] On Behalf Of David O'Brien
Sent: Wednesday, 19 March 2014 8:19 p.m.
To: NZ Borland Developers Group - Delphi List
Subject: Re: [DUG] Contact form page

 

Possibly a Unicode or language problem?

Sent from my Windows Phone


From: John C <mailto:jc at sunshinesoftware.co.nz> 
Sent: 19/03/2014 8:16 p.m.
To: NZ Borland Developers Group - Delphi List <mailto:delphi at delphi.org.nz> 
Subject: [DUG] Contact form page

Hi all

 

I have this website with a contact page (in PHP & HTML) where any person can submit a request with their contact details, which is emailed to me after clicking a submit button.

All works fine; however, now and then I receive an email from this website/page where the details don't seem to have been filled in at "page level" but in another way, as the page does a submit validation check and the submitted phone number is e.g. " LbXwjLfDDTFkIuBkPP ", something my validator doesn't allow for.

Also other details are like:

Name: Bjmpynut

Organisation: ahTKXyxtYnCdo

Position: Bjmpynut

Phone: LbXwjLfDDTFkIuBkPP

Email: gipnpmhk at uohrokgr.com

 

All looks very suspicious. Any clues how this could happen at all and how to prevent this?

 

The webpage in question is at http://www.relacs.co.nz/ContactUs.php

 

The email creator resides in the post process of the page like:

if ($_POST['Submit'] == "Submit")
{
    // Every field is taken straight from the POST body; nothing here checks
    // the values, so the browser-side validator is the only filter.
    $Name     = $_POST['InputName'];
    $Email    = $_POST['InputEmail'];
    $Phone    = $_POST['InputPhone'];
    $Company  = $_POST['InputCompany'];
    $Position = $_POST['InputPosition'];
    $Subject  = $_POST['Subject'];
    $Comment  = $_POST['InputComment'];

    $body  = "Name: $Name\n\n";
    $body .= "Company: $Company\n\n";
    $body .= "Position: $Position\n\n";
    $body .= "Phone: $Phone\n\n";
    $body .= "Email: $Email\n\n";
    $body .= "Subject: $Subject\n\n";
    $body .= "Comment: $Comment";

    // The unchecked address is placed directly in the From: header.
    $Receiver = "info at relacs.co.nz";
    $send = mail($Receiver, "Feedback website - RELACS", $body, "From: $Email");
    $Msg  = "Thank you $Name for your feedback. We will get back to you ASAP";
}


Thanks for any help and/or suggestions.

 

John Ch
